Vendor description:
-------------------
"The WD Arkeia virtual appliance (AVA) for backup provides simple, reliable and
affordable data protection for enterprises seeking to optimize the benefits of
virtualization. The AVA offers all the features of the hardware appliance, but
permits you to use your own choice of hardware."

Business recommendation:
------------------------
The identified path traversal vulnerability can be exploited by unauthenticated
remote attackers to gain unauthorized access to the WD Arkeia virtual appliance
and stored backup data.

SEC Consult recommends restricting access to the web interface of the WD Arkeia
virtual appliance using a firewall until a comprehensive security
audit based on a security source code review has been performed and all
identified security deficiencies have been resolved by the affected vendor.

An unauthenticated remote attacker can exploit the identified vulnerability in
order to retrieve arbitrary files from the affected system and execute system
commands.

Proof of concept:
-----------------
The path traversal vulnerability exists in the
/opt/arkeia/wui/htdocs/index.php script. The value of the "lang" cookie
is not properly checked before including a file using the PHP include()
function. Example of the request that demonstrates the vulnerability by
retrieving the contents of the /etc/passwd file:
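As an added example (not part of this advisory and not Arkeia's code), the following Python shows the strict allowlist a "lang" value should pass before it can reach include(), and applies the same check to flag traversal attempts in constructed access-log lines; the log format with a logged Cookie header is an assumption.

```python
import re
from urllib.parse import unquote

# Allowed shape of a "lang" selector ("en", "fr_FR"); checking this before include() is the fix.
LANG_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")
COOKIE_FIELD = re.compile(r'"Cookie: ([^"]*)"')

def is_valid_lang(value: str) -> bool:
    """True only for values shaped like a language code; everything else is rejected."""
    return LANG_RE.fullmatch(value) is not None

def looks_like_traversal(value: str) -> bool:
    """Percent-decode up to three times (catches double encoding), then look for '..',
    path separators or a NUL byte, the building blocks of a traversal payload."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return any(tok in decoded for tok in ("..", "/", "\\", "\x00"))

def lang_from_cookie(cookie_header: str):
    """Extract the raw 'lang' value from a Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, val = part.strip().partition("=")
        if name == "lang":
            return val
    return None

def suspicious_requests(log_lines):
    """Return (line_number, lang_value) for every request whose lang cookie is not a
    clean language code; traversal attempts against the index.php include land here."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = COOKIE_FIELD.search(line)
        lang = lang_from_cookie(match.group(1)) if match else None
        if lang is not None and (looks_like_traversal(lang) or not is_valid_lang(lang)):
            hits.append((number, lang))
    return hits

# Constructed sample access-log lines: combined log format plus a logged Cookie header.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "Cookie: lang=en"',
    '203.0.113.5 - - [01/Jan/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "Cookie: PHPSESSID=abc; lang=fr_FR"',
    '198.51.100.7 - - [01/Jan/2013:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1843 "Cookie: lang=../../../../etc/passwd"',
    '198.51.100.7 - - [01/Jan/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1843 "Cookie: lang=..%252f..%252fetc%252fpasswd"',
]

if __name__ == "__main__":
    for number, lang in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious lang cookie {lang!r}")
```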